Part 2: So, you need to negotiate a contract with a Cloud provider?

April 8, 2011

In my previous post I shared my experience negotiating Demand Pricing and Data Ownership concepts as part of contracting with a cloud provider. Today I’ll tackle what I consider one of the most difficult components of a cloud contract: security. I’m hoping others will share their experience in this area, because I don’t believe anyone has the final answer for how to negotiate these complicated concepts, especially when one considers the myriad types of cloud providers and services offered.

Security

Thankfully for contract negotiators, there already has been some standardization regarding contractual security requirements. One standard is the Statement of Accounting Standards number 70, or SAS70, report. Your contract should specify that you receive an annual copy of the vendor’s SAS70 report. It’s important to verify, prior to signing the contract, that the vendor’s current SAS70 report covers the systems and processes for which you will be contracting. I know that sounds simple, but I’m always amazed to see SAS70 reports that cover processes and procedures, and even systems, that have no relation to what I’m purchasing. Of course, for any vendor collecting or processing credit card information, the standard you should insist on is adherence to the PCI Data Security Standard (PCI DSS). To verify the vendor is in compliance, require them to send you their internal or external audit verification of their compliance on an annual basis, or negotiate that they will maintain compliance with the latest published standard and notify you of any areas where they are out of compliance, specifying remediation plans and timelines for each out-of-compliance area.

To cover theft of your data, whether that data is managed in your own data center or in the cloud, your company should have Privacy & Network Liability insurance. A key clause in your insurance policy should state that the policy covers any contracted vendor who manages, hosts, or otherwise accesses your data. This ensures you have insurance to help your company cover the cost of addressing a breach that occurs at your cloud provider.

There are too many areas of security to discuss in detail, so I’ll just highlight other areas you should ensure you cover, both in your due diligence and contract negotiations.

Encryption of your data in transit, and encryption of data you specify in storage and backup

Your data should be treated as Confidential Information

The cloud service will not contain or transmit malicious code

Require the vendor to indemnify you against unauthorized use or disclosure of your data caused by the vendor or by a security breach of their service

Vendor shall not access your customer data except for purposes of providing the service

Vendor shall only use, access or permit access to your customer data in compliance with applicable laws and governmental regulations

Require an SLA for the vendor to notify you of any security breach, even if they are not sure whether your customer data has been breached (you don’t want to find out about vendor security breaches in the press!)

Negotiate the ability to perform vulnerability scans on the vendor’s cloud service using your own tools, and negotiate an SLA for the vendor to remediate any high and medium vulnerability findings; an alternative is for the vendor to share with you, on a periodic basis, their own third-party vulnerability scan data and remediation efforts

Ensure you have the right to conduct on-site investigations at the cloud provider’s data centers and support locations if your data is breached

I’d be interested in hearing other areas that all of you have included to protect the security of your data and services you perform in the cloud.

Contributors


Eric Dirst is Senior Vice President and Chief Information Officer for DeVry Inc. DeVry Inc. is a publicly-held, global provider of educational services and is the parent organization of Advanced Academics, Apollo College, Becker Professional Review, Chamberlain College of Nursing, DeVry University, Fanor, Ross University, and Western Career College. DeVry's institutions offer degree and non-degree programs in business, healthcare and technology. Dirst, who joined DeVry in 2008 as Vice President and CIO, brings 23 years of experience within the information technology field. Eric joined DeVry from SIRVA Inc., a global provider of relocation and moving services for consumers, corporations and governments. SIRVA's brands include Allied International, Allied Van Lines, North American Van Lines, and SIRVA Relocation. While at SIRVA, Eric served most recently as Vice President and Chief Information Officer where he was responsible for streamlining business processes, consolidating operations and maximizing ROI. Under Eric's leadership, SIRVA was named to CIO Magazine's Top 100 Innovative Organizations in 2006 for its effective use of IT to create business value. Prior to SIRVA, Eric held senior positions with firms including IQ4hire Inc., KPMG Peat Marwick, and Covansys, a NASDAQ company which was acquired by Computer Sciences Corporation (CSC) in 2007. Eric is a member of the CIO Leadership Network and the Midwest Technology Executives Club.